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1 This action is in response to the communication filed on 7/12/2007. 

2 DETAILED ACTION 

3 Claims 1-10, 13-25, 28-38, 40-47, and 49-55 have been examined. 

4 Continued Examination Under 3 7 CFR 1.114 

5 A request for continued examination under 37 CFR 1.114 was filed in this application 



6 after a decision by the Board of Patent Appeals and Interferences, but before the filing of a 

7 Notice of Appeal to the Court of Appeals for the Federal Circuit or the commencement of a civil 

8 action. Since this application is eligible for continued examination under 37 CFR 1.114 and the 

9 fee set forth in 37 CFR 1 .17(e) has been timely paid, the appeal has been withdrawn pursuant to 

10 37 CFR 1.114 and prosecution in this application has been reopened pursuant to 37 CFR 1.114. 

1 1 Applicant's submission filed on 7/12/2007 has been entered. 



12 Specification 

13 The disclosure is objected to because it contains an embedded hyperlink and/or other 

14 form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or 

15 other form of browser-executable code. (See the specification Page 2 Line 1). See MPEP § 

16 608.01. 

1 7 Claim Rejections - 35 USC §103 
18 

19 The following is a quotation of 35 U.S. C 103(a) which forms the basis for all 

20 obviousness rejections set forth in this Office action: 

21 (a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 

22 section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 

23 such that the subject matter as a whole would have been obvious at the time the invention was made to a person 

24 having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 

25 manner in which the invention was made. 
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1 

2 Claims 1-3, 5-10, 13-14, 16-18, 20-25, 28-29, 31 and 55 are rejected under 35 U.S.C. 

3 103(a) as being unpatentable over Trcka et al. (US Patent Number 6,453,345) hereinafter 

4 referred to as Trcka, and further in view of Stevens (TCP/IP Illustrated). 

5 Regarding claims 1, 16, and 31, Trcka disclosed a system for providing passive 

6 screening of transient messages in a distributed computing environment (See Trcka Abstract), 

7 comprising: a network interface (See Trcka Fig. 1 Element 38) passively monitoring a transient 

8 packet stream in a network boundary (See Trcka Col. 2 Lines 1 1-22) comprising receiving 

9 incoming datagrams structured in compliance with a network protocol layer (See Trcka Col. 2 

10 Lines 23-24); an antivirus scanner scanning contents of the packets for a presence of at least one 

11 of a computer virus and malware to identify infected message contents (See Trcka Col. 3 Line 66 

12 - Col. 4 Line 16); and a protocol specific module processing each packet based on the protocols 

13 employed by the packet (See Trcka Col. 13 Lines 32-49), but Trcka failed to specifically disclose 

14 a packet receiver reassembling one or more of the incoming datagrams into a segment structured 

1 5 in compliance with a transport protocol layer; or that the protocol specific module processed the 

16 reassembled datagrams based on the transport protocol layer employed by the reassembled 

17 datagram. However, Trcka did disclose performing virus scanning on specific upper layer files 

1 8 such as FTP, HTTP, SMTP, and others (See Trcka Col. 14 Lines 62-67). 

1 9 It was well known that in the Internet Protocol there are multiple layers and that each 

20 layer contains different modules, such as the TCP module and the UDP module of the transport 

21 layer. It was also well known that in order to get to the data in the application layer packet, such 

22 as the payload and the packet type, the transport layer module must process the transport layer 

23 packet to reveal the application layer packet. This is evidenced by Stevens Pages 6-11. 
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1 It would have been obvious to the ordinary person skilled in the art at the time of 

2 invention to employ what was well known in the art of networking and TCP/IP in order to gain 

3 access to the data in the packets for scanning, by demultiplexing (reassembling) the incoming 

4 Ethernet frames into IP packets, and then demultiplexing the IP packets into the proper transport 

5 layer segments according to the proper protocols in order to extract the data from the packets. 

6 This would have been obvious because the ordinary person skilled in the art would have been 

7 motivated to use what was common and well known in the art. 

8 Regarding claims 2 and 17, Trcka and Stevens disclosed an incoming queue staging each 

9 incoming datagram intermediate to reassembly (See Trcka Col. 4 Line 8-10). 

10 Regarding claims 3 and 18, Trcka and Stevens disclosed a network protocol-specific 

1 1 decoder decoding the reassembled segment prior to scanning (See Stevens Page 1 1 and the 

12 rejection of claim 1 above). 

13 Regarding claims 5-6 and 20-21, Trcka and Stevens disclosed the antivirus scanner takes 

14 an action if the reassembled segment is infected with at least one of a computer virus and 

15 malware, wherein the action comprises at least one of logging an infection; generating a 

16 warning; spoofing a valid datagram in place of the infected datagram; and acquiescing to the 

17 infection (See Trcka Col. 13 Lines 1-15). 

18 Regarding claims 7-10 and 22-25, Trcka and Stevens disclosed a protocol-specific queue 

19 staging each reassembled segment with other reassembled segments sharing the same transport 

20 protocol layer (See Trcka Col. 17 Line 56 - Col. 18 Line 14, Col. 19 Lines 55-59 and Col. 20 

21 Lines 30-35), an information record storing information dependent on the same transport 

22 protocol layer with the staged reassembled segment (See Trcka Col. 12 Lines 7-1 1 and Col. 20 
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1 Lines 34-35), a contents record storing the contents with the staged reassembled segment (See 

2 Trcka Col. 18 Lines 15-52), and wherein the information comprises at least one of a source 

3 address, source port number, destination address, destination port number, URL, file name, user 

4 name, sender identification, recipient identification, and subject (See Trcka Col. 18 Lines 3-14). 

5 Furthermore, in the demultiplexing taught by Stevens, it would be obvious for each "protocol 

6 box" which is receiving data and acting on the, to have a queue for storing the data before and 

7 during the processing of this protocol specific data. This would be obvious because the ordinary 

8 person skilled in the art would have been motivated to not lose the data if a "protocol box" is 

9 processing data slower than it is receiving the data. 

10 Regarding claims 13-14, and 28-29, Trcka and Stevens disclosed an event correlator 

1 1 analyzing the transient packet stream for events indicative of a network service attack (See Trcka 

12 Abstract and Col. 13 Lines 5-15), and a data repository maintaining each event (See Trcka Col. 7 

13 Lines 28-32). 

14 Regarding claim 55, Trcka and Stevens disclosed that the incoming datagrams include IP 

15 datagrams that are reassembled into TCP segments (See Trcka Col. 14 Lines 61-67). 

16 Claims 4, 19, 32-38, 40-47, and 49-52 are rejected under 35 U.S.C. 103(a) as being 

17 unpatentable over Trcka and Stevens as applied to claim 1 above, and further in view of Cheriton 

1 8 (US Patent Number 7,054,930). 

19 Trcka and Stevens disclose detecting and responding to network attacks (See Trcka Col. 

20 1 1 Lines 14), but failed to specifically disclose detection or response to Denial of Service 

2 1 attacks, or terminating the transient packet stream if the reassembled segment is not infected with 

22 at least one of a computer virus and malware. 
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1 Cheriton teaches that in a network, denial of service attacks can result in significant loss 

2 of time and money for many organizations (See Cheriton Col 1 Lines 19-21), and further 

3 teaches detection of denial of service attacks (See Cheriton Col. 3 Lines 29-45) and teaches 

4 generation and refinement of filters for stopping the attack packets, and forwarding these filters 

5 upstream (See Cheriton Col. 2 Lines 16-24 and Col. 3 Lines 29-45, and Claim 7). 

6 It would have been obvious to the ordinary person skilled in the art at the time of 

7 invention to employ the teachings of Cheriton in the network surveillance system of Trcka and 

8 Stevens by detecting Denial of Service attacks, and upon detection of such, creating a filter to 

9 prevent the flow of the Denial of Service packets, and forwarding the filter for use by an 

10 upstream device. This would have been obvious because the ordinary person skilled in the art at 

1 1 the time of invention would have been motivated to protect the network from Denial of Service 

12 attacks. 

13 Regarding claims 32, 41, and 50, Trcka and Stevens disclosed a system for passively 

14 detecting computer viruses and malware and network attacks in a distributed computing 

15 environment (See Trcka Abstract), comprising: a network interface receiving copies of 

16 datagrams transiting a boundary of a network domain into an incoming packet queue (See Trcka 

17 Col. 2 Lines 29-34, Col. 4 Lines 2-11, and Col. 7 Lines 28-32, and Col. 12 Lines 29-40), each 

18 datagram being copied from a packet stream (See Trcka Col. 14 Lines 34-36); a packet receiver 

19 reassembling one or more such datagrams from the incoming packet queue into network protocol 

20 packets, each staged in a reassembled packet queue (See Stevens Pages 4-11 and the rejection of 

21 claim 1 above); an antivirus scanner scanning each network protocol packet from the 

22 reassembled packet queue to ascertain an infection of at least one of a computer virus and 
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1 malware (See Trcka Col. 3 Line 66 - Col. 4 Line 16) ; and an event correlator evaluating events 

2 identified from the datagrams in the packet stream to detect network attack on the network 

3 domain (See Trcka Abstract and Col. 13 Lines 5-15) ; wherein a protocol-specific module 

4 processes each reassembled datagram, based on an upper protocol layer employed by the 

5 reassembled datagram (See Stevens Page 1 1 and the rejection of claim 1 above), but Trcka and 

6 Stevens failed to specifically disclose detection of Denial of Service type network attacks. 

7 Cheriton teaches that in a network, denial of service attacks can result in significant loss 

8 of time and money for many organizations (See Cheriton Col. 1 Lines 19-21), and further 

9 teaches detection of denial of service attacks (See Cheriton Col. 3 Lines 29-45) and teaches 

10 generation and refinement of filters for stopping the attack packets, and forwarding these filters 

1 1 upstream (See Cheriton Col. 2 Lines 16-24 and Col. 3 Lines 29-45, and Claim 7). 

12 It would have been obvious to the ordinary person skilled in the art at the time of 

13 invention to employ the teachings of Cheriton in the network surveillance system of Trcka and 

14 Stevens by detecting Denial of Service attacks, and upon detection of such, creating a filter to 

1 5 prevent the flow of the Denial of Service packets, and forwarding the filter for use by an 

16 upstream device. This would have been obvious because the ordinary person skilled in the art at 

17 the time of invention would have been motivated to protect the network from Denial of Service 

1 8 attacks. 

19 Regarding claims 33 and 42, Trcka, Stevens and Cheriton disclosed a parser parsing each 

20 reassembled datagram into network protocol-specific information and packet content (See 

21 Stevens Page 11). 
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1 Regarding claims 34 and 43, Trcka, Stevens and Cheriton disclosed extracting the header 

2 information from the packets (See the rejection of claim 33 above), but failed to disclose 

3 specifically what information was contained in the headers. It was well known in the art at the 

4 time of invention that the headers of HTTP messages contained a source address and port 

5 number, a destination address and port number, and a URL, the headers of an FTP message 

6 contained the filename and username, and the headers for the SMTP contained the sender 



7 identifier, receiver identifier, and subject. As such, it would have been obvious to the ordinary 

8 person skilled in the art at the time of invention to employ what was well known by extracting 

9 the header information from the headers of the packets. This would have been obvious because 

10 the ordinary person would have been motivated to extract what was known to be contained in the 

1 1 header. 



12 Regarding claims 35 and 44, Trcka, Stevens, and Cheriton disclosed a decoder decoding 

13 the packet content prior to performing the operation of scanning (See Stevens Page 1 1 and the 

14 rejection of claim 1 above). 

15 Regarding claims 36 and 45, Trcka, Stevens, and Cheriton disclosed a log logging an 

16 occurrence of at least one of the infection and the network attack (See Trcka Col. 17 Lines 38- 

17 40). 

18 Regarding claims 37, and 46, Trcka, Stevens, and Cheriton disclosed a warning module 

19 generating a warning responsive to an occurrence of at least one of the infection and the network 

20 attack (See Trcka Col. 13 Lines 1-15). 

21 Regarding claims 38 and 47, Trcka, Stevens, and Cheriton disclosed a spoof module 

22 sending a spoofed network protocol packet responsive to an occurrence of at least one of the 
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1 infection and network attack (See Cheriton col. 10 Line 41- Col. 1 1 Line 8 and Trcka Col. 17 

2 Lines 37-39, wherein it would have been obvious to the ordinary person skilled in the art to send 

3 the detected spoofed packet to the log). 

4 Regarding claim 51, Trcka, Stevens, and Cheriton disclosed that the network protocol 

5 packets employ at least one of F[TTP, FTP, SMTP, POP3, NNTP, and Gnutella network 

6 protocols (See Trcka Col. 18 Paragraphs 1-2). 

7 Regarding claim 52, Trcka, Stevens, and Cheriton disclosed that only datagrams 

8 compliant with IP protocol are reassembled (See Trcka Entire reference wherein only IP 

9 compliant protocols are disclosed). 
10 

11 

12 Claims 15, and 30 are rejected under 35 U.S.C. 103(a) as being unpatentable over Trcka 

13 and Stevens as applied to claims 1 and 16 above, and further in view of Hailpern et al. (US 

14 Patent Number 6,275,937) hereinafter referred to as Hailpern. 

15 Trcka and Stevens disclosed a system for scanning IP network packets for viruses (See 

16 the rejection of claim 1 above), but failed to disclose that all the incoming messages were SMTP 

17 compliant, and therefore TCP compliant. 

1 8 Hailpern teaches that virus scanning should be set up for each network protocol proxy, 

19 including E-mail, in order to scan for viruses (See Hailpern Col. 4 Lines 1-13). 

20 It would have been obvious to the ordinary person skilled in the art to employ the 

21 teachings of Hailpern in the virus scanning system of Trcka and Stevens by modifying mail 

22 servers to contain the scanning system of Trcka and Stevens. This would have been obvious 
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1 because the ordinary person skilled in the art would have been motivated to enable the proxies to 

2 be able to scan the types of communications they already process and therefore reduce network 

3 traffic and delay. Further, SMTP mail servers were well known in the art at the time of 

4 invention, and it would have been obvious to utilize the scanning system of Trcka and Stevens in 

5 an SMTP mail server. This would have been obvious because the ordinary person skilled in the 

6 art would have been motivated to protect SMTP mail servers from viruses. 

7 Claims 40, 49, and 52 are rejected under 35 U.S.C. 103(a) as being unpatentable over 

8 Trcka and Stevens and Cheriton as applied to claims 32 and 41 above, and further in view of 

9 Hailpern et al. (US Patent Number 6,275,937) hereinafter referred to as Hailpern. 

10 Trcka, Stevens, and Cheriton disclosed a system for scanning IP network packets for 

1 1 viruses (See the rejection of claim 1 above), but failed to disclose that all the incoming messages 

12 were SMTP compliant, and therefore TCP/IP compliant. 

13 Hailpern teaches that virus scanning should be set up for each network protocol proxy, 

14 including E-mail, in order to scan for viruses (See Hailpern Col. 4 Lines 1-13). 

1 5 It would have been obvious to the ordinary person skilled in the art to employ the 

16 teachings of Hailpern in the virus scanning system of Trcka, Stevens, and Cheriton by modifying 

17 mail servers to contain the scanning system of Trcka, Stevens, and Cheriton. This would have 

18 been obvious because the ordinary person skilled in the art would have been motivated to enable 

19 the proxies to be able to scan the types of communications they already process and therefore 

20 reduce network traffic and delay. Further, SMTP mail servers were well known in the art at the 

21 time of invention, and it would have been obvious to utilize the scanning system of Trcka and 

22 Stevens, and Cheriton in an SMTP mail server. This would have been obvious because the 
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1 ordinary person skilled in the art would have been motivated to protect SMTP mail servers from 

2 viruses. 

3 Claims 53-54 are rejected under 35 U. S C. 1 03(a) as being unpatentable over Trcka, 

4 Stevens, and Cheriton as applied to claim 32 above, and further in view of Epstein et al. (US 

5 Patent Number 6,684,329) hereinafter referred to as Epstein. 

6 Trcka, Stevens, and Cheriton disclosed scanning packets for viruses (See Trcka Col. 1 1 

7 Lines 1-4), but failed to disclose sub-modules which each scan one of HTTP, FTP, SMTP, and 

8 NNTP packets. 

9 Epstein teaches that in a firewall which scans for viruses, proxy sub-modules should be 

10 provided in the firewall for each of HTTP, FTP, SMTP, and NNTP protocol packets (See Epstein 

1 1 Col. 1 Lines 27-53 and Col. 3 Lines 8-21). 

12 It would have been obvious to the ordinary person skilled in the art at the time of 



13 invention to employ the teachings of Epstein in the virus scanning of Trcka, Stevens, and 

14 Cheriton by providing protocol specific proxy servers in the surveillance module to scan each of 

15 HTTP, SMTP, FTP, and NNTP packets. This would have been obvious because the ordinary 

16 person skilled in the art would have been motivated to provide the network administrator with 

1 7 greater control over the traffic which traversed the network. 
18 

19 

20 Conclusion 

21 Claims 1-10, 13-25, 28-38, 40-47, and 49-55 have been rejected. 
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Any inquiry concerning this communication or earlier communications from the 



2 examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790. 

3 The examiner can normally be reached on M-F 8-4. 



5 supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 

6 organization where this application or proceeding is assigned is 571-273-8300. 



8 Application Information Retrieval (PAIR) system. Status information for published applications 

9 may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 

10 applications is available through Private PAIR only. For more information about the PAIR 

1 1 system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 

1 2 system, contact the Electronic Business Center (EBC) at 866-2 1 7-9 1 97 (toll-free). 



4 



If attempts to reach the examiner by telephone are unsuccessful, the examiner's 



7 



Information regarding the status of an application may be obtained from the Patent 
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Assistant Examiner 
Art Unit 2131 
8/28/2007 
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